---------------------
 JMP!CRACKME by |PSA|
                *crackyou*
--------[ Shaman ]--------
---------------------
        United Crackers League          
[WIN95]-------------[Jan 98]
         E-mail: whshaman@iname.com       
         Fido  : 2:5064/3.5@fidonet       
---------------------



How to crack this "crackme":

1. Find this code:

 00000000: B409          mov    ah,009
 00000002: BA2A01        mov    dx,0012A
 00000005: CD21          int    021         ; print the copyright banner (DOS write string)
 00000007: B40A          mov    ah,00A
 00000009: BAFF04        mov    dx,004FF    ; read the 4-character password (DOS buffered
                                            ; input, the characters land at 501h..504h)
 0000000C: CD21          int    021
 0000000E: 8B1E0305      mov    bx,[00503]  ; bx = the last 2 characters of our password
 00000012: BEE704        mov    si,004E7    ; si = start of the encrypted block
 00000015: 8BFE          mov    di,si
 00000017: B90C00        mov    cx,0000C    ; counter, 12 words
 0000001A: AD            lodsw
 0000001B: D3C0          rol    ax,cl       ; rotate by the current counter value (12..1)
 0000001D: 33C3          xor    ax,bx       ; decrypt with the key word; bx is _always_
                                            ; the last 2 characters of our password hehe
 0000001F: 02D0          add    dl,al       ; checksum of the low bytes (dl still holds
                                            ; 0FFh from the mov dx,4FFh above)
 00000021: AB            stosw              ; store the decrypted word back
 00000022: E2F6          loop   00000001A
 00000024: 80EA68        sub    dl,068      ; check the checksum
 00000027: 7431          je     00000005A   ; if it matches, continue at 5Ah...
 00000029: C3            retn



2. I wrote a first program (1.pas) to enumerate all admissible passwords. The
password has the form xxYx, where Y is one of the following bytes:

$10, $1c, $70, $7c, $90, $9c, $f0, $fc
(as characters: $70 = 'p' and $7c = '|'; the other six are control or
high-ASCII bytes that do not print)


But PSA says that all the characters of the password are typeable (I take that
to mean the range $20-$ff ;-). Counting the passwords for one value of Y from
$70...$fc gives 172032 combinations, and for all 6 of those values we finally get:

                        172032*6=1032192 combinations.

Uuuuh, bad :(. OK, next step...



3. Let's look at the decrypt loop again:

 00000017: B90C00        mov    cx,0000C    ; counter, 12 words
 0000001A: AD            lodsw
 0000001B: D3C0          rol    ax,cl
 0000001D: 33C3          xor    ax,bx       ; NOP this instruction in the debugger:
                                            ; after the loop the block holds the rotated
                                            ; data without the xor applied, i.e. only the
                                            ; key word is still missing...
 0000001F: 02D0          add    dl,al
 00000021: AB            stosw
 00000022: E2F6          loop   00000001A

Before (the original block at 4E7h):
000004E7:  46 F8 6B F0 D6 1E 29 41-3D 38 6E 24 7D 75 C3 DA
000004F7:  65 87 9F A5 32 76 22 C9

After the loop with the xor NOPed (rotated only, not yet xored):
000004E7:  84 6F 83 5F 7B 58 82 52-38 3D 12 37 5D 5F 7B 58
000004F7:  58 76 FD 2C C9 D8 45 92

I wrote a second program (2.pas) to decrypt this new block with every admissible
key byte (5 of them; for each admissible byte I loop the other key byte from 1 to
0ffh, write the result to a log file, then read through the log...)

In the log file I found these strings:

...
=

 Done!

$$~9
...
-* DOnE!-*$^9
...

Hehe, the first string looks very good :). Now we can work out the last 2
characters of the password:

4. I patched my second program to compute the xor word (the last 2 characters
of the password). It is: |R

OK, I patched my first program and got 186 valid combinations, like:

---cut---
 p|R
 q|R
 s|R
!p|R
!q|R
!r|R
"q|R
"r|R
"s|R
...
---cut---
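As an added example (not from the original writeup, and not Shaman's 1.pas/2.pas, which this text does not reproduce), the Python below re-implements the loop from the listing in step 1 and redoes steps 2-4 on the two dumps from step 3: a rol-only pass reproduces the "after" block from the "before" block, the checksum alone yields the eight candidates for the third password character, and trying every high byte against the checksum-valid low bytes turns up the key |R (bx = 527Ch), which decrypts to "Done!". One detail is read straight off the listing: dl is never written between mov dx,4FFh and add dl,al, so the checksum accumulator starts at 0FFh. The dump bytes are copied from the writeup; scoring candidate keys by their longest run of printable ASCII is my own heuristic, standing in for reading the log file by eye.

```python
# Added example: re-implementation of the JMP!CRACKME decrypt loop from the
# listing above, used to recover the two key characters. Not the author's code.

# The two dumps from the writeup: bytes at 4E7h before the loop, and the same
# bytes after the loop with the "xor ax,bx" NOPed (rotated but not xored).
ENCRYPTED = bytes.fromhex("46F86BF0D61E29413D386E247D75C3DA65879FA5327622C9")
ROLLED    = bytes.fromhex("846F835F7B588252383D12375D5F7B585876FD2CC9D84592")

# "mov dx,4FFh" is the last write to dx before "add dl,al", so the checksum
# starts at 0FFh; "sub dl,68h / je" wants it to end at 68h.
DL_INIT = 0xFF
TARGET = 0x68


def rol16(v, n):
    """rol ax,cl on a 16-bit register (n is 12..1 here, so no masking issues)."""
    n &= 15
    return ((v << n) | (v >> (16 - n))) & 0xFFFF


def words(blob):
    """Split the block into little-endian 16-bit words, as lodsw reads them."""
    return [int.from_bytes(blob[i:i + 2], "little") for i in range(0, len(blob), 2)]


def run_loop(blob, bx, do_xor=True):
    """Emulate lodsw / rol ax,cl / xor ax,bx / add dl,al / stosw for cx = 12..1.
    Returns (bytes stored back, final dl)."""
    out = bytearray()
    dl = DL_INIT
    for cl, w in zip(range(12, 0, -1), words(blob)):
        ax = rol16(w, cl)
        if do_xor:                      # do_xor=False is the NOP-the-xor trick
            ax ^= bx
        dl = (dl + (ax & 0xFF)) & 0xFF  # only al feeds the checksum
        out += ax.to_bytes(2, "little")
    return bytes(out), dl


def checksum_ok(blob, bl):
    """True if the third password char (bl) satisfies the checksum.
    bh only ever touches ah, so it cannot influence dl."""
    _, dl = run_loop(blob, bl)
    return dl == TARGET


def third_char_candidates(blob):
    """Every value of the 3rd password char ([503h] -> bl) the checksum accepts."""
    return [bl for bl in range(256) if checksum_ok(blob, bl)]


def xor_rolled(rolled, bx):
    """What 2.pas does: the dumped block is already rotated, only the xor is left."""
    key = bx.to_bytes(2, "little") * (len(rolled) // 2)
    return bytes(a ^ b for a, b in zip(rolled, key))


def printable_run(data):
    """Length of the longest run of printable ASCII, used to spot plaintext."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if 0x20 <= b < 0x7F else 0
        best = max(best, cur)
    return best


def rank_keys(blob):
    """For each checksum-valid bl, try all 256 bh; rank bx by printable run."""
    scored = []
    for bl in third_char_candidates(blob):
        for bh in range(256):
            bx = (bh << 8) | bl
            plain, _ = run_loop(blob, bx)
            scored.append((printable_run(plain), bx, plain))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


if __name__ == "__main__":
    rolled, _ = run_loop(ENCRYPTED, 0, do_xor=False)
    print("rol-only pass reproduces the dumped block:", rolled == ROLLED)
    print("checksum-valid 3rd chars:",
          [f"${c:02x}" for c in third_char_candidates(ENCRYPTED)])
    for run, bx, plain in rank_keys(ENCRYPTED)[:8]:
        print(f"bx={bx:04X} run={run} {plain!r}")
    plain, dl = run_loop(ENCRYPTED, 0x527C)      # '|' = 7Ch in bl, 'R' = 52h in bh
    print("key |R ->", plain, "checksum", "ok" if dl == TARGET else "bad")
```

Run it directly to print the eight candidates and the top-ranked keys. The printable-run ranking is only a heuristic, so read the decrypted bytes rather than trusting the first hit; with bx = 527Ch the output contains "Done!", CR/bell/LF and the "$$" terminator of a DOS string, and the checksum lands on 68h.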

5. Run jmp!crk and... after ~20 min (with 'fuck', 'shit' etc.) I got this
password:

.~|R

6. While debugging I found a "jmp ax" with ax=2D0h, and tried to find another
valid password: nope, only this one.

All ' Done!' :)

P.S. Thanks to PSA for the good time, the IRC chatting and JMP!Crackme, of course.

            -[IHC]=[UCL]=[SDM]- E-mail: whshaman@iname.com
            [PGP B1 38 25 90 72 89 E6 74 60 DD AD 1B 63 26 D1 1E]

